Tuesday, 24 December 2013

Telegram secret chat geolocation leak.

UPD: I've just received confirmation from Telegram that a patched version was released a few hours ago. Here is the patch on GitHub.

A few days ago Mr. Durov announced a bug bounty for decrypting the Telegram protocol. This post shows how private data from a secret chat can be captured without any decryption at all, due to a design failure.

Test environment:
- Android 4.3 launched in VirtualBox,
- Wireshark launched on the host machine,
- HTC One with Android 4.0.3,
- Telegram 1.3.800 (in VirtualBox)

Let's install Telegram and create users Alice and Bob. After that, we create accounts in Telegram and add each device to the other's contact list.

Now we start a secret chat:

Sending a test message:

As we can see in Wireshark, all data goes through SSL and looks encrypted.

But what if we try to send an attachment, for example a geolocation? The geolocations of secret chat members could be quite interesting in some cases :) Let's tap the 'send' button...

Boom!! We've got a clear-text TCP session! Let's take a closer look...

Telegram uses the default unencrypted Google Maps API to resolve the map snippet. From a security and anonymity point of view this is THE fail. It means that anyone who controls the channel can capture all "geo-attachments" going through a secret chat in both directions (incoming and outgoing) using just a passive sniffer.

In practice, if Mr. Snowden sends his geolocation using Telegram to someone who is under NSA wiretapping, a tomahawk will be enough to make Gen. Alexander satisfied.
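An audit check for this class of leak, added here as an example and not taken from the original post or the Telegram patch: it scans the URLs an app requests (from a proxy log or capture of your own test device) and flags cleartext ones that carry a latitude/longitude pair. The sample URLs are constructed, and the Google Static Maps request shape (`center`, `markers`) is an assumption, since the post does not reproduce the exact request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A "lat,lon" pair such as "55.7558,37.6173" inside a query parameter value.
COORD = re.compile(
    r"(?<![\d.])(-?\d{1,2}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)(?![\d.])"
)

# Constructed sample input: URLs as they would appear in a proxy or capture log.
SAMPLE_URLS = [
    # Assumed shape of a cleartext static-map request (not copied from the post).
    "http://maps.googleapis.com/maps/api/staticmap"
    "?center=55.7558,37.6173&zoom=15&size=200x100"
    "&markers=color:red%7C55.7558,37.6173&sensor=false",
    # Same request over TLS: path and query are hidden from a passive observer.
    "https://maps.googleapis.com/maps/api/staticmap"
    "?center=55.7558,37.6173&zoom=15&size=200x100",
    # Cleartext, but nothing location-like in the query string.
    "http://example.com/avatar.png?size=64",
]


def find_cleartext_coordinates(urls):
    """Return (url, param, lat, lon) for each coordinate pair sent over http://."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # only unencrypted requests expose their query string
        # parse_qsl percent-decodes values, so "%7C" and "%2C" are handled.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for match in COORD.finditer(value):
                lat, lon = float(match.group(1)), float(match.group(2))
                # Range check drops pairs that cannot be coordinates.
                if -90 <= lat <= 90 and -180 <= lon <= 180:
                    findings.append((url, name, lat, lon))
    return findings


if __name__ == "__main__":
    for url, name, lat, lon in find_cleartext_coordinates(SAMPLE_URLS):
        print(f"cleartext location in '{name}': {lat}, {lon} -> {url}")
```

Run against the request log of a test build, an empty result for the map-preview code path is the pass condition.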


  1. Thank you for pointing that out! One of the Telegram apps for Android did use Google Maps in http-mode. The source code is fixed by now by the app developer, and the update is on its way to Play Market.

    Thank you for enabling us to make the Android app more secure.

    Please write us a couple of lines to security@telegram.org, we would like to reward the person who found the bug.

    Merry XMas,
    Telegram Team

  2. This comment has been removed by a blog administrator.

  3. Nice job)))
    Waiting for a response Durov?

  4. After installing the Telegram app a total stranger appeared on my connection.

  5. I have cracked Telegram iOS encrypted messages. Where could I publish the code for it?

  6. can you contact me on captain@rainn.co

  7. Technology is developing by leaps and bounds. The Climate is changing with its own dynamic approach. Today cellular phones especially there functions and Android Apps In Pakistan Has Provided a great charm to technology and all.

  8. This is really awesome. Full of knowledge and latest information about web design.

  9. Great! Thanks for sharing the information. That is very helpful for increasing my knowledge in this fiel

  10. Thanks for sharing Telegram secrets with us. Its Android app is not so good, nor is it up to date, but I don't know about the recent progress of the app, whether they fixed the problems or not.

  11. Thanks for the best blog. It was very useful for me. Keep sharing such ideas in the future as well. This was actually what I was looking for, and I am glad I came here!